Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Color Palette Expression based on two fields

strehb18
Path Finder
Friday

Is it possible in xml to create a color palette based on two separate fields. I would like a field to be a specific value to color another field while that field also being conditional. 

In my case, I have a field called task_pct and one called labor_variance. I would like to only do a color scheme if task_pct is 1.00 for 100% complete and then red for anything above 0 and green for anything below 0 while also ignoring coloring if it is not 1.00. 

Labels (4)
Labels
Tags (1)
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
Saturday

You can set up two panels with identical labor_variance, then hide one or the other based on task_pct.  Like this:

Color

No color

negative-colored.pngpositive-colored.png

image.pngpositive-no-color.png

 

The following code borrows from How to set token from search and then conditionally show a panel.

<form version="1.1" theme="light">
  <label>Color palette based on two values</label>
  <description>https://community.splunk.com/t5/Dashboards-Visualizations/Color-Palette-Expression-based-on-two-fields/m-p/757387#M59355</description>
  <fieldset submitButton="false">
    <input type="radio" token="task_pct_tok" searchWhenChanged="true">
      <label>task_pct</label>
      <choice value="0">0</choice>
      <choice value="0.5">0.5</choice>
      <choice value="1">1.0</choice>
      <default>1</default>
    </input>
    <input type="radio" token="labor_variance_tok" searchWhenChanged="true">
      <label>labor_variance</label>
      <choice value="-0.2">-0.2</choice>
      <choice value="0">0</choice>
      <choice value="0.5">0.5</choice>
      <default>0.5</default>
    </input>
  </fieldset>
  <row>
    <panel depends="$useColors_tok$">
      <title>task_pct is $task_pct_tok$</title>
      <single>
        <search>
          <query>| makeresults format=csv data="labor_variance,task_pct
$labor_variance_tok$,$task_pct_tok$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <condition>
              <eval token="useColors_tok">if($result.task_pct$ == 1, "true", null())</eval>
            </condition>
          </done>
        </search>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0.0</option>
        <option name="rangeColors">["0x53a051","0xdc4e41"]</option>
        <option name="rangeValues">[0]</option>
        <option name="useColors">1</option>
      </single>
    </panel>
    <panel rejects="$useColors_tok$">
      <title>task_pct_is $task_pct_tok$</title>
      <single>
        <search>
          <query>| makeresults format=csv data="labor_variance,task_pct
$labor_variance_tok$,$task_pct_tok$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0.0</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
  </row>
</form>

The same idea can be used in Dashboard Studio.

In this example, the same search is performed in both panels.  If your search is expensive, you can set it up in a base search and reference the base search in panels.  In Simple XML, there is no clear documentation about how to do this; and it generally requires lots of diligence.  In Dashboard Studio, base search is managed as a feature.

Tags (2)
0 Karma
Reply
Get Updates on the Splunk Community!

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...